Privacy Policy — UserAuthGuard Theft Recovery

The Theft Recovery Kiosk App is a separate application from the UserAuthGuard Chrome extensions. It is installed only on devices that the school district has explicitly placed into a dedicated /StolenDevices Organizational Unit. It does not run on any other devices and is never installed by individual users.

When a school district administrator marks a Chromebook stolen in their UserAuthGuard dashboard, the device is moved into the district's /StolenDevices OU. On next reboot, this kiosk app auto-launches as the only available environment on that device. It captures location and visible-screen screenshots for the duration of the active recovery session and relays them to the district's UserAuthGuard tenant. Captures stop when the district administrator marks the device recovered.

During an active theft-recovery session only:

• Device serial number: Read once on app launch via the Chrome enterprise.deviceAttributes API. Used to authenticate the device to the district's UserAuthGuard tenant.
• Geolocation: Wi-Fi and IP-based coordinates (Chromebooks do not have GPS). Captured at intervals configured by the district's UserAuthGuard backend, typically every 60 seconds while the session is active.
• Visible-screen screenshots: Captures of the kiosk app's browser surface (a single <webview>). Captured at intervals configured by the backend, typically every 30 seconds.
• Currently displayed URL: The address loaded in the kiosk webview at the moment of each heartbeat.
• Verified Access attestation: A cryptographic proof from the device's TPM that this is a real, school-managed Chromebook (not a spoofed beacon). Included on every heartbeat.

• Webcam, microphone, or any audio/video recordings — ever. The app does not request camera or microphone permissions and cannot access them.
• Keystrokes, clipboard contents, or input field values
• Files on the device
• Browsing history outside the active kiosk session
• Any data when the device is not in the district's /StolenDevices OU
• Any data after the district administrator marks the device recovered
• Personally identifiable information about whoever is currently in front of the device (the app does not perform face recognition, identification, or person-detection)

This kiosk app requests the following Chrome permissions. Each is justified below:

• OU-gated activation: The app only runs on devices the district has placed in its /StolenDevices OU. Devices in any other OU never load this app.
• Audited initiation: Every "mark stolen" action in the UserAuthGuard dashboard requires a reason and reporter, and is logged in the district's immutable audit trail.
• Time-bound: Captures stop the moment the district administrator marks the device recovered. The app shuts itself down on the next heartbeat after recovery.
• Capture data retention: 30-day maximum, per the UserAuthGuard Data Processing Agreement Article 6.5(b). Earlier deletion on recovery confirmation, or on district request.
• False-positive recovery: When a district admin marks a recovery as a false-positive (device wasn't actually stolen), captured data for that session is purged immediately rather than archived.
• Access controls: Captures are restricted to the initiating district administrator and authorized district personnel granted access through UserAuthGuard's role-based permissions.
• Encryption: All captured data is encrypted in transit (TLS 1.2+) and at rest (AES-256). See DPA Article 6.2.
• No advertising, no profiling, no resale: Captured data is used only for device recovery. Not sold, not shared with third parties, not used for any commercial purpose.

Stolen Chromebooks are sometimes in the hands of someone who is not the thief — a returning student, a sibling, a parent who recovered the device, or someone who found it. The Theft Recovery Kiosk App treats this case as follows:

• The district can configure the app to display a visible "Return this device to [School Name] — call [phone]" banner so the holder knows what to do. This is recommended for the "kid borrowed it" case and often resolves the incident on first boot.
• Captured data of incidental holders is auto-deleted on recovery confirmation, never used for student discipline, and never shared outside the district's UserAuthGuard tenant.
• Districts can purge any session's data immediately by selecting "False positive" on recovery.

This kiosk app is operated by Asan Digital LLC (dba UserAuthGuard) on behalf of school districts under their respective Data Processing Agreements. UserAuthGuard acts as a FERPA "school official" with a "legitimate educational interest" (34 CFR 99.31(a)(1)). COPPA consent is provided by the school under the school-consent provision (16 CFR 312.5(c)(3)).

The full contractual framework — including breach notification, sub-processors, retention, and parent access procedures — is published at userauthguard.com/data-processing-agreement/.

The Theft Recovery Kiosk App is a distinct product from the UserAuthGuard Chrome extensions. They have separate code, separate Web Store listings, separate signing keys, and separate privacy policies:

• UAG Theft Recovery (this app) — Kiosk app, only loaded on devices in /StolenDevices OU, on-demand activation by district admin.
• UserAuthGuard Chromebook Monitor (Pro extension) — Browser extension for classroom monitoring, deployed to all student devices by the district. Privacy policy.
• AuthGuard Free — Browser extension that blocks AI/cheating sites locally. Collects no data. Privacy policy.